CVE-2016-3393 — Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability

CVE-2016-3393

Microsoft Windows GDI — Memory Object Handling Flaw Enables Code Execution via Crafted Document or Malicious Web Page; Patched MS16-120 (October 2016)

What Is the Windows Graphics Device Interface (GDI)?

The Windows Graphics Device Interface (GDI) is a core Windows subsystem responsible for rendering graphics, fonts, and images on screen and to printers. GDI is used by virtually every Windows application — including Office, Internet Explorer, Windows Explorer, and web browsers — to display text, icons, and graphics. Because GDI processing is triggered by user actions as mundane as viewing a folder of images or opening an Office document, vulnerabilities in GDI processing represent a broad attack surface.

GDI processes many image and font formats (EMF, WMF, fonts embedded in documents), and parsing complex binary formats in privileged kernel or GDI subsystem code creates persistent opportunities for memory corruption vulnerabilities. The Windows GDI has been a recurring source of high-severity CVEs throughout Windows' history.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on May 25, 2022; federal agencies are required to apply mitigations under BOD 22-01.

CVE-2016-3393 is a remote code execution vulnerability in the Windows Graphics Device Interface arising from improper handling of memory objects during GDI rendering. An attacker who persuades a user to open a specially crafted document or visit a malicious web page can trigger GDI to process a malformed graphic element, causing memory corruption that enables arbitrary code execution at the privilege level of the logged-in user. Patched in MS16-120 (October 11, 2016). CISA added CVE-2016-3393 to the KEV catalog on May 25, 2022.

Affected Versions

Windows Version                               Status
Windows Vista SP2                             Vulnerable
Windows 7 SP1 (x86 / x64)                     Vulnerable
Windows 8.1 / RT 8.1 (x86 / x64)              Vulnerable
Windows 10 / 10 Version 1511 / 1607           Vulnerable
Windows Server 2008 SP2 / R2 SP1              Vulnerable
Windows Server 2012 / R2                      Vulnerable
Windows Server 2016                           Vulnerable
All versions above with MS16-120 applied      Fixed

Technical Details

Root Cause: Out-of-Bounds Write in GDI Memory Object Handling

CVE-2016-3393 is an out-of-bounds write vulnerability (CWE-787) in the Windows GDI component's handling of certain memory objects during graphics rendering. The GDI processes image or graphics data from user-supplied content (embedded images, EMF/WMF metafiles, fonts in documents) and performs memory operations on parsed values. A specially crafted graphic element causes the GDI to write data outside the bounds of an allocated buffer — corrupting adjacent memory structures.

In the Windows GDI/GDI+ subsystem:

  1. Crafted graphic element parsed — the document or web page contains a malformed image, metafile, or embedded graphic object
  2. Memory arithmetic flaw — GDI computes an incorrect buffer size or offset based on attacker-controlled values
  3. Out-of-bounds write — GDI writes graphic data past the end of the allocated buffer, corrupting adjacent heap or kernel data structures
  4. Code execution — the corruption is leveraged (via controlled heap layout or object reuse) to redirect execution to attacker-controlled code

Attack Surface: Documents and Web Pages

GDI rendering is triggered by a wide variety of user actions:

  • Opening a crafted Office document (Word, Excel, PowerPoint with embedded graphics)
  • Visiting a malicious web page that triggers IE or Edge to render a crafted image
  • Previewing an image file in Windows Explorer (thumbnail generation invokes GDI)
  • Opening a crafted PDF containing embedded graphics (via Adobe Reader or Windows PDF viewer)

This breadth of triggering conditions makes GDI RCE vulnerabilities valuable for both web-based drive-by attacks and document-based phishing campaigns.

Attack Characteristics

Attribute              Detail
Attack Vector          Local (AV:L) — requires opening a crafted file or page
User Interaction       Required — user opens document or visits web page
Execution Privilege    Current user (no elevation required to exploit)
Delivery Vectors       Email attachment, malicious web page, network share
GDI Triggers           Office documents, web images, Windows Explorer preview

Discovery

Identified through Microsoft security research and responsible disclosure; patched in MS16-120 (October 2016 Microsoft Graphics Component Security Update), which addressed multiple GDI and graphics-related memory corruption vulnerabilities.

Exploitation Context

  • GDI as persistent vulnerability class: The Windows GDI has been a recurring vulnerability source — MS16-120 addressed multiple GDI issues simultaneously, and GDI-related CVEs appeared in many subsequent Patch Tuesday cycles; the complex parsing of legacy Windows Metafile (WMF/EMF) formats continues to generate memory safety issues
  • Document-based phishing: GDI vulnerabilities triggered by Office documents are particularly valuable for spear-phishing campaigns targeting enterprise users; the attack blends in with legitimate document workflows and does not require macro execution or macro security bypass
  • Wide Windows version coverage: CVE-2016-3393 affects all Windows versions from Vista through Server 2016, providing a consistent exploitation target across the heterogeneous Windows deployments common in enterprise environments
  • Exploitation without network connectivity: Unlike network-facing server vulnerabilities, GDI exploitation through documents works even on systems with strict egress filtering — the malicious document is delivered via email and exploited entirely locally
  • CISA KEV (2022): Added May 2022, reflecting confirmed active exploitation

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-120 — install the October 2016 Microsoft Graphics Component security update via Windows Update, WSUS, or MECM. All subsequent cumulative Windows updates include this fix.

  2. Maintain monthly Windows patching — GDI vulnerabilities are patched regularly in Patch Tuesday cumulative updates; a current patch level protects against all known GDI vulnerabilities.

  3. Enable Protected View in Office — Microsoft Office Protected View opens documents from email attachments and downloaded files in a restricted sandbox that blocks GDI-based exploitation; ensure Protected View is enabled and not overridden by users or Group Policy.

  4. Block execution of untrusted documents — use Microsoft Defender Attack Surface Reduction (ASR) rules to block Office applications from creating child processes, and configure email filtering to quarantine or strip executable attachments.

  5. Upgrade from end-of-life Windows — Windows Vista, 7, and Server 2008 are no longer supported; GDI vulnerabilities discovered after their EOL dates receive no patches. Migrate to Windows 10/11 or Windows Server 2022.
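The script below is an added example, not part of the advisory and not Microsoft tooling: a PowerShell audit of one host against remediation steps 1, 3, 4 and 5 above. It assumes the operator replaces the KB placeholder with the MS16-120 KB number for the OS build (the advisory lists none), that Office stores its Protected View settings under the 16.0 registry hive in the Disable*InPV values, and that the Defender ASR rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the "Block all Office applications from creating child processes" rule meant by step 4.

```powershell
# Added audit script (not from the advisory): reports the state of the
# CVE-2016-3393 mitigations on the local host. Run from an elevated session.
# Assumptions: $Ms16120Kb is a PLACEHOLDER for the MS16-120 KB of this build;
# Office registry layout is version 16.0; the ASR GUID below is the
# "Block all Office applications from creating child processes" rule.

param(
    [string]$Ms16120Kb     = 'KB<MS16-120-KB-FOR-THIS-BUILD>',   # placeholder, fill in
    [string]$OfficeVersion = '16.0'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# Step 1: is the graphics-component update recorded? Get-HotFix lists only
# individually recorded KBs, so a host that received the fix through a later
# cumulative update may not show it; report VERIFY rather than FAIL in that case.
$hotfix = Get-HotFix -Id $Ms16120Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Add-Finding 'MS16-120 installed' 'OK' "installed $($hotfix.InstalledOn)"
} else {
    Add-Finding 'MS16-120 installed' 'VERIFY' "$Ms16120Kb not listed; confirm cumulative update level"
}

# Step 5: builds below 10240 are pre-Windows 10 and no longer receive GDI fixes.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$osStatus = if ([int]$os.BuildNumber -ge 10240) { 'OK' } else { 'EOL' }
Add-Finding 'Supported OS' $osStatus "$($os.Caption) build $($os.BuildNumber)"

# Step 3: Protected View. A DWORD of 1 in any Disable*InPV value switches that
# Protected View trigger off. Policy keys override user keys, so both are read.
$pvWeak = $false
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $roots = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security\ProtectedView",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security\ProtectedView"
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $pv = Get-ItemProperty -Path $root
        foreach ($name in 'DisableAttachmentsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV') {
            if ($pv.$name -eq 1) {
                $pvWeak = $true
                Add-Finding "$app Protected View" 'WEAK' "$name=1 under $root"
            }
        }
    }
}
if (-not $pvWeak) { Add-Finding 'Office Protected View' 'OK' 'no Disable*InPV overrides found' }

# Step 4: Defender ASR rule state. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$action = $null
if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
    $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $idx = [array]::IndexOf($ids, $asrRuleId)
    if ($idx -ge 0) { $action = [int]$mp.AttackSurfaceReductionRules_Actions[$idx] }
}
$asrStatus = 'NOT SET'
if ($action -eq 1) { $asrStatus = 'OK' }
elseif ($action -eq 2) { $asrStatus = 'AUDIT ONLY' }
elseif ($action -eq 6) { $asrStatus = 'WARN ONLY' }
Add-Finding 'ASR: block Office child processes' $asrStatus "rule $asrRuleId action=$action"

$findings | Format-Table -AutoSize
```

The hotfix check deliberately reports VERIFY instead of FAIL when the KB is absent, because on any host serviced by the cumulative updates that superseded MS16-120 the fix is present without the original KB being listed; the authoritative signal on such hosts is the installed cumulative update level, not the presence of a 2016 KB.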

Key Details

Property               Value
CVE ID                 CVE-2016-3393
Vendor / Product       Microsoft — Windows
NVD Published          2016-10-14
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787 — Out-of-Bounds Write
CISA KEV Added         2022-05-25
CISA KEV Deadline      2022-06-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date          Event
2016-10-11    Microsoft releases MS16-120 patching CVE-2016-3393 (Windows GDI remote code execution)
2016-10-14    CVE-2016-3393 published by NVD
2022-05-25    Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15    CISA BOD 22-01 remediation deadline